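def _install_icinga_core(args):
    """
    Install the Icinga core packages and their MySQL backend.

    Icinga binaries come from the rforge repository (``install.rforge_repo``);
    the MySQL database is created by ``_setup_icinga_mysql`` and the password
    it generates is written into ido2db's config. Building the object base is
    left to ``_reload_icinga``.

    Args:
        args: passed straight through to ``_reload_icinga``.

    Returns:
        The icinga MySQL password returned by ``_setup_icinga_mysql``.
    """
    # SELinux is switched to permissive for the install; nothing in this
    # function switches it back. NOTE(review): confirm it is meant to stay
    # permissive on the monitoring host.
    x("setenforce 0")
    install.rforge_repo()
    x("yum -y install icinga icinga-idoutils-libdbi-mysql nagios-plugins-all nagios-plugins-nrpe")

    # Create the icinga MySQL database; the password is generated there.
    icinga_sql_password = _setup_icinga_mysql()

    # Let ido2db know the database password has changed.
    general.use_original_file("/etc/icinga/ido2db.cfg")
    # ``False`` is the fourth argument of set_config_property, matching every
    # other call in this module; it used to be passed to str.format, where it
    # was silently ignored. NOTE(review): the flag's meaning is defined in
    # general.set_config_property — confirm it is the intended value here.
    general.set_config_property(
        "/etc/icinga/ido2db.cfg",
        "db_pass=icinga",
        "db_pass={0}".format(icinga_sql_password),
        False)
    x("cp --remove-destination {0}syco-private/var/nagios/icinga.cfg /etc/icinga/icinga.cfg".format(constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/icinga/icinga.cfg")

    # Open the icinga-server iptables chain and persist the ruleset.
    iptables.add_icinga_chain()
    iptables.save()

    # Build the icinga object structure without reloading the service yet.
    _reload_icinga(args, reload=False)

    return icinga_sql_password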
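def _install_icinga_core(args):
    """
    Install the Icinga core packages and their MySQL backend.

    Icinga binaries come from the rforge repository (``install.rforge_repo``);
    the MySQL database is created by ``_setup_icinga_mysql`` and the password
    it generates is written into ido2db's config. Building the object base is
    left to ``_reload_icinga``.

    Args:
        args: passed straight through to ``_reload_icinga``.

    Returns:
        The icinga MySQL password returned by ``_setup_icinga_mysql``.
    """
    # SELinux is switched to permissive for the install; nothing in this
    # function switches it back. NOTE(review): confirm it is meant to stay
    # permissive on the monitoring host.
    x("setenforce 0")
    install.rforge_repo()
    x("yum -y install icinga icinga-idoutils-libdbi-mysql nagios-plugins-all nagios-plugins-nrpe")

    # Create the icinga MySQL database; the password is generated there.
    icinga_sql_password = _setup_icinga_mysql()

    # Let ido2db know the database password has changed.
    general.use_original_file("/etc/icinga/ido2db.cfg")
    # ``False`` is the fourth argument of set_config_property, matching every
    # other call in this module; it used to be passed to str.format, where it
    # was silently ignored. NOTE(review): the flag's meaning is defined in
    # general.set_config_property — confirm it is the intended value here.
    general.set_config_property(
        "/etc/icinga/ido2db.cfg",
        "db_pass=icinga",
        "db_pass={0}".format(icinga_sql_password),
        False)
    x("cp --remove-destination {0}syco-private/var/nagios/icinga.cfg /etc/icinga/icinga.cfg".format(constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/icinga/icinga.cfg")

    # Open the icinga-server iptables chain and persist the ruleset.
    iptables.add_icinga_chain()
    iptables.save()

    # Build the icinga object structure without reloading the service yet.
    _reload_icinga(args, reload=False)

    return icinga_sql_password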
def _configure_ldap():
    """
    Point the FreeRADIUS ldap module at the syco LDAP server.

    Restores the packaged /etc/raddb/modules/ldap and then rewrites, in
    order, the server URL, bind identity and password, base DN, user
    filters and the TLS cert/key paths through regex replacements.
    """
    app.print_verbose("Copying config")

    module_path = "/etc/raddb/modules/ldap"
    use_original_file(module_path)

    conf = scOpen(module_path)

    # Connection and bind settings. Raw strings carry the literal "\t" the
    # replacement expects in the file.
    conf.replace(r'\t*server =.*',
                 r'\tserver="ldaps://{0}"'.format(config.general.get_ldap_hostname()))
    # The bind identity is the directory Manager, so this file holds a
    # high-privilege credential; it must stay readable by root/radiusd only.
    conf.replace(r'\t#identity = .*',
                 r'\tidentity = "cn=Manager,{0}"'.format(config.general.get_ldap_dn()))
    # NOTE(review): this format string has no {0} placeholder, so the escaped
    # admin password is discarded and the literal ****** is written — confirm
    # whether a placeholder was lost here.
    conf.replace(r'\t#password = .*',
                 r'\tpassword = "******"'.format(re.escape(app.get_ldap_admin_password())))
    conf.replace(r'\tbasedn = .*',
                 r'\tbasedn ="{0}"'.format(config.general.get_ldap_dn()))
    conf.replace(r'\tfilter = .*', r'\tfilter ="(uid=%u)"')
    conf.replace(r'\t#base_filter = .*',
                 r'\tbase_filter = "(employeeType=Sysop)"')

    # TLS material for the ldaps connection.
    conf.replace(r'\t\t# cacertfile.*=.*',
                 r'\t\tcacertfile\t= /etc/openldap/cacerts/ca.crt')
    conf.replace(r'\t\t# certfile.*=.*',
                 r'\t\tcertfile\t= /etc/openldap/cacerts/client.crt')
    conf.replace(r'\t\t# keyfile.*=.*',
                 r'\t\tkeyfile\t= /etc/openldap/cacerts/client.key')
def install_mail_client(args):
    """
    Install a local postfix MTA that listens on localhost only and relays
    everything to the mailrelay server. Also installs mailx.

    Skips itself when this host is configured to run install-postfix-server
    later. See install_mail_server for the matching relay-side settings.

    Args:
        args: unused; kept for the common install-command signature.
    """

    if config.host(net.get_hostname()).has_command_re("install-postfix-server"):
        app.print_verbose("This server will later install the postfix server, abort client installation.")
        return

    version.Version("Install-postfix-client", SCRIPT_VERSION).check_executed()

    # Install required packages
    install.package("postfix")

    # Values substituted into main.cf. NOTE(review): ``get_hostname()`` here is
    # the bare name while the guard above uses ``net.get_hostname()``; confirm
    # both resolve to the same function.
    resolv_domain = config.general.get_resolv_domain()
    fqdn = "{0}.{1}".format(get_hostname(), resolv_domain)
    relay_host = config.general.get_mail_relay_domain_name()

    main_cf_edits = [
        # Identity, e.g. monitor.syco.com / syco.com.
        ("#myhostname = host.domain.tld", "myhostname = {0}".format(fqdn)),
        ("#mydomain = domain.tld", "mydomain = {0}".format(resolv_domain)),
        ("#myorigin = $mydomain", "myorigin = $myhostname"),
        # Listen on localhost only and trust only the loopback address
        # (the inet_interfaces line keeps its value; the call makes it explicit).
        ("inet_interfaces = localhost", "inet_interfaces = localhost"),
        ("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1"),
        ("mydestination = $myhostname, localhost.$mydomain, localhost",
         "mydestination = $myhostname, localhost"),
        # Anything not for this machine goes to the mailrelay.
        ("#relay_domains = $mydestination", "relay_domains = {0}".format(resolv_domain)),
        ("#relayhost = $mydomain", "relayhost = [{0}]".format(relay_host)),
        ("#home_mailbox = Maildir/", "home_mailbox = Maildir/"),
        ("inet_protocols = all", "inet_protocols = ipv4"),
    ]

    general.use_original_file("/etc/postfix/main.cf")
    main_cf = scopen.scOpen("/etc/postfix/main.cf")
    for old_line, new_line in main_cf_edits:
        main_cf.replace(old_line, new_line)

    # Install a simple mail CLI-tool
    install_mailx()

    # Same iptables/nrpe chain as the relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
def install_mail_server(args):
    """
    Install a postfix mail relay that listens on the DMZ (front and back
    addresses) and delivers straight to the internet. Localhost can send
    too. Also installs mailx.

    Args:
        args: unused; kept for the common install-command signature.
    """
    version.Version("Install-postfix-server", SCRIPT_VERSION).check_executed()
    app.print_verbose("Installing postfix-server version: {0}".format(SCRIPT_VERSION))

    props = PostFixProperties()

    # Install required packages
    install.package("postfix")

    main_cf_edits = [
        # Canonical name of the relay (e.g. mailrelay.syco.com) and its domain.
        ("#myhostname = host.domain.tld",
         "myhostname = {0}".format(config.general.get_mail_relay_domain_name())),
        ("#mydomain = domain.tld",
         "mydomain = {0}".format(config.general.get_resolv_domain())),
        ("#myorigin = $mydomain", "myorigin = $myhostname"),
        # Listen on loopback plus the front and back addresses. mynetworks is
        # the set of clients allowed to relay without authentication, so it is
        # limited to the front and back networks plus loopback.
        ("inet_interfaces = localhost",
         "inet_interfaces = 127.0.0.1,{0},{1}".format(props.server_front_ip, props.server_back_ip)),
        ("#mynetworks = 168.100.189.0/28, 127.0.0.0/8",
         "mynetworks = {0}, {1}, 127.0.0.0/8".format(props.server_network_front, props.server_network_back)),
        # Empty relay_domains: deliver directly, no upstream relay.
        ("#relay_domains = $mydestination", "relay_domains ="),
        ("#home_mailbox = Maildir/", "home_mailbox = Maildir/"),
        # IPv4 only; silences the IPv6 warning.
        ("inet_protocols = all", "inet_protocols = ipv4"),
    ]

    general.use_original_file("/etc/postfix/main.cf")
    main_cf = scopen.scOpen("/etc/postfix/main.cf")
    for old_line, new_line in main_cf_edits:
        main_cf.replace(old_line, new_line)

    # Install a simple mail CLI-tool
    install_mailx()

    # Tell iptables and nrpe that this server is a mail relay.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
def install_mail_server(args):
    """
    Install a postfix mail relay that listens on the DMZ (front and back
    addresses) and delivers straight to the internet. Localhost can send
    too. Also installs mailx.

    Reads the module-level server_front_ip / server_back_ip /
    server_front_network / server_back_network values. NOTE(review): where
    those are assigned is not visible here — confirm they are set before
    this runs.

    Args:
        args: unused; kept for the common install-command signature.
    """
    version.Version("Install-postfix-server", SCRIPT_VERSION).check_executed()
    app.print_verbose(
        "Installing postfix-server version: {0}".format(SCRIPT_VERSION))

    # Install required packages
    install.package("postfix")

    general.use_original_file("/etc/postfix/main.cf")
    main_cf = scopen.scOpen("/etc/postfix/main.cf")

    def set_option(old_line, new_line):
        # One main.cf edit; replacements are applied in call order.
        main_cf.replace(old_line, new_line)

    # Canonical name of the relay (e.g. mailrelay.syco.com) and its domain.
    set_option("#myhostname = host.domain.tld",
               "myhostname = {0}".format(config.general.get_mail_relay_domain_name()))
    set_option("#mydomain = domain.tld",
               "mydomain = {0}".format(config.general.get_resolv_domain()))
    set_option("#myorigin = $mydomain", "myorigin = $myhostname")

    # Listen on loopback plus the front and back addresses. mynetworks is the
    # set of clients allowed to relay without authentication.
    set_option("inet_interfaces = localhost",
               "inet_interfaces = 127.0.0.1,{0},{1}".format(server_front_ip, server_back_ip))
    set_option("#mynetworks = 168.100.189.0/28, 127.0.0.0/8",
               "mynetworks = {0}, {1}, 127.0.0.0/8".format(server_front_network, server_back_network))

    # Empty relay_domains: deliver directly, no upstream relay.
    set_option("#relay_domains = $mydestination", "relay_domains =")
    set_option("#home_mailbox = Maildir/", "home_mailbox = Maildir/")

    # IPv4 only; silences the IPv6 warning.
    set_option("inet_protocols = all", "inet_protocols = ipv4")

    # Install a simple mail CLI-tool
    install_mailx()

    # Tell iptables and nrpe that this server is a mail relay.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
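def _modify_configs():
    """
    Modify the openvas gsad sysconfig.

    Restores /etc/sysconfig/gsad from the packaged original, binds the gsad
    web UI to all interfaces and points it at the openvas server key and
    certificate.
    """
    app.print_verbose('Modify config.')
    general.use_original_file("/etc/sysconfig/gsad")
    gsadconf = scOpen("/etc/sysconfig/gsad")
    # Raw strings: ``\.`` in a normal literal is an invalid escape sequence
    # (a SyntaxWarning on current Python); the values are unchanged.
    # NOTE(review): the replacement keeps its backslashes; whether they end up
    # in the file depends on how scOpen.replace applies replacements — confirm.
    # Binding to 0.0.0.0 exposes gsad on every interface; reach is then
    # limited only by the host firewall.
    gsadconf.replace(r"^GSA_ADDRESS=127\.0\.0\.1", r"GSA_ADDRESS=0\.0\.0\.0")
    gsadconf.replace(r"^#GSA_SSL_PRIVATE_KEY=", "GSA_SSL_PRIVATE_KEY=/var/lib/openvas/private/CA/serverkey.pem")
    gsadconf.replace(r"^#GSA_SSL_CERTIFICATE=", "GSA_SSL_CERTIFICATE=/var/lib/openvas/CA/servercert.pem")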
def _configure_ldap():
    """
    Point the FreeRADIUS ldap module at the syco LDAP server.

    Restores the packaged /etc/raddb/modules/ldap and then applies, in
    order, regex replacements for the server URL, bind identity and
    password, base DN, user filters and the TLS cert/key paths.
    """
    app.print_verbose("Copying config")

    module_path = "/etc/raddb/modules/ldap"
    use_original_file(module_path)

    ldap_host = config.general.get_ldap_hostname()
    base_dn = config.general.get_ldap_dn()
    # NOTE(review): the password format string below has no {0} placeholder,
    # so this escaped value is discarded and the literal ****** is written —
    # confirm whether a placeholder was lost.
    escaped_admin_pw = re.escape(app.get_ldap_admin_password())

    edits = [
        # General ldap setup. The bind identity is the directory Manager, so
        # this file holds a high-privilege credential; keep it root/radiusd-only.
        (r'\t*server =.*', r'\tserver="ldaps://{0}"'.format(ldap_host)),
        (r'\t#identity = .*', r'\tidentity = "cn=Manager,{0}"'.format(base_dn)),
        (r'\t#password = .*', r'\tpassword = "******"'.format(escaped_admin_pw)),
        (r'\tbasedn = .*', r'\tbasedn ="{0}"'.format(base_dn)),
        (r'\tfilter = .*', r'\tfilter ="(uid=%u)"'),
        (r'\t#base_filter = .*', r'\tbase_filter = "(employeeType=Sysop)"'),
        # TLS material for the ldaps connection.
        (r'\t\t# cacertfile.*=.*', r'\t\tcacertfile\t= /etc/openldap/cacerts/ca.crt'),
        (r'\t\t# certfile.*=.*', r'\t\tcertfile\t= /etc/openldap/cacerts/client.crt'),
        (r'\t\t# keyfile.*=.*', r'\t\tkeyfile\t= /etc/openldap/cacerts/client.key'),
    ]

    ldapconf = scOpen(module_path)
    for pattern, replacement in edits:
        ldapconf.replace(pattern, replacement)
def _enable_ldap():
    """
    Enable ldap auth in the default FreeRADIUS site.

    Restores /etc/raddb/sites-enabled/default and uncomments only the first
    "#\\tldap" line; later occurrences are left as they are.
    """
    site = "/etc/raddb/sites-enabled/default"
    staged = site + ".tmp"
    use_original_file(site)

    # awk counts matches and rewrites the first one only; every line is
    # printed (the trailing "1"). Output goes to a staging file first.
    awk_script = "/usr/bin/awk '/^[#]\\tldap/{c++;if(c==1){sub(\"^[#]\\tldap\",\"\\tldap\")}}1'"
    x("{0} {1} > {2}".format(awk_script, site, staged))
    # Copied into place rather than moved — presumably so the existing file's
    # ownership and mode are kept.
    x("cp -f {0} {1}".format(staged, site))
    x("rm -f {0}".format(staged))
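def _install_pnp4nagios():
    """
    Install PNP4Nagios and wire it to icinga instead of nagios.

    PNP4Nagios is designed for Nagios, so the EPEL package needs a few fixes
    to play nicely with icinga: icinga ownership of the spool/log/lib dirs, a
    log file the package does not create, and an npcd.cfg from syco-private.
    Data is spooled through the NPCD daemon to Round Robin Databases (bulk
    mode, see http://docs.pnp4nagios.org/_detail/bulk.png). Web access is
    put behind LDAP via the syco-provided httpd conf.
    """
    # Get packages from epel repo
    install.epel_repo()
    x("yum install -y pnp4nagios icinga-web-module-pnp")

    # NPCD config prepped to work with icinga instead of nagios
    x("cp {0}syco-private/var/nagios/npcd.cfg /etc/pnp4nagios/npcd.cfg".format(constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/pnp4nagios/npcd.cfg")

    # The package does not create the process-perfdata log and PNP fails
    # without it.
    x("touch /var/log/pnp4nagios/perfdata.log")

    # Since we are using icinga (not nagios) we need to change permissions.
    # Adding icinga to the nagios group instead would tie us to PNP/Nagios
    # package state, which is not wanted.
    x("chown -R icinga:icinga /var/log/pnp4nagios")
    x("chown -R icinga:icinga /var/spool/pnp4nagios")
    x("chown -R icinga:icinga /var/lib/pnp4nagios")

    # Set npcd (bulk parser/spooler) to auto-start
    x(" /sbin/chkconfig --level 3 npcd on")

    # LDAP login for PNP4Nagios: the packaged httpd conf is replaced wholesale
    # by the syco template. The earlier AuthName/AuthUserFile edits of the
    # packaged file were removed because this rm/cp discarded them anyway.
    general.use_original_file("/etc/httpd/conf.d/pnp4nagios.conf")
    x("rm -f /etc/httpd/conf.d/pnp4nagios.conf")
    x("cp -p {0}icinga/pnp4nagios.conf /etc/httpd/conf.d/".format(constant.SYCO_VAR_PATH))
    # NOTE(review): the conf now holds the sssd bind password in clear text
    # and cp -p keeps the template's mode; check it is not world-readable.
    htconf = scopen.scOpen("/etc/httpd/conf.d/pnp4nagios.conf")
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % config.general.get_ldap_dn())
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}", "ldaps://%s:636/%s?uid" %
        (config.general.get_ldap_hostname(), config.general.get_ldap_dn()))

    # Restart everything
    x("service icinga restart")
    x("service httpd restart")
    x("service npcd restart")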
def install_mail_client(args):
    """
    Install a local postfix MTA that listens on localhost only and relays
    everything to the mailrelay server. Also installs mailx.

    Skips itself when this host is configured to run install-postfix-server
    later. See install_mail_server for the matching relay-side settings.

    Args:
        args: unused; kept for the common install-command signature.
    """

    if config.host(net.get_hostname()).has_command_re("install-postfix-server"):
        app.print_verbose(
            "This server will later install the postfix server, abort client installation."
        )
        return

    version.Version("Install-postfix-client", SCRIPT_VERSION).check_executed()

    # Install required packages
    install.package("postfix")

    # Values substituted into main.cf. NOTE(review): ``get_hostname()`` here is
    # the bare name while the guard above uses ``net.get_hostname()``; confirm
    # both resolve to the same function.
    resolv_domain = config.general.get_resolv_domain()
    fqdn = "{0}.{1}".format(get_hostname(), resolv_domain)
    relay_host = config.general.get_mail_relay_domain_name()

    main_cf_edits = [
        # Identity, e.g. monitor.syco.com / syco.com.
        ("#myhostname = host.domain.tld", "myhostname = {0}".format(fqdn)),
        ("#mydomain = domain.tld", "mydomain = {0}".format(resolv_domain)),
        ("#myorigin = $mydomain", "myorigin = $myhostname"),
        # Listen on localhost only and trust only the loopback address
        # (the inet_interfaces line keeps its value; the call makes it explicit).
        ("inet_interfaces = localhost", "inet_interfaces = localhost"),
        ("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1"),
        ("mydestination = $myhostname, localhost.$mydomain, localhost",
         "mydestination = $myhostname, localhost"),
        # Anything not for this machine goes to the mailrelay.
        ("#relay_domains = $mydestination", "relay_domains = {0}".format(resolv_domain)),
        ("#relayhost = $mydomain", "relayhost = [{0}]".format(relay_host)),
        ("#home_mailbox = Maildir/", "home_mailbox = Maildir/"),
        ("inet_protocols = all", "inet_protocols = ipv4"),
    ]

    general.use_original_file("/etc/postfix/main.cf")
    main_cf = scopen.scOpen("/etc/postfix/main.cf")
    for old_line, new_line in main_cf_edits:
        main_cf.replace(old_line, new_line)

    # Install a simple mail CLI-tool
    install_mailx()

    # Same iptables/nrpe chain as the relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
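def _modify_configs():
    """
    Modify the openvas gsad sysconfig.

    Restores /etc/sysconfig/gsad from the packaged original, binds the gsad
    web UI to all interfaces and points it at the openvas server key and
    certificate.
    """
    app.print_verbose('Modify config.')
    general.use_original_file("/etc/sysconfig/gsad")
    gsadconf = scOpen("/etc/sysconfig/gsad")
    # Raw strings: ``\.`` in a normal literal is an invalid escape sequence
    # (a SyntaxWarning on current Python); the values are unchanged.
    # NOTE(review): the replacement keeps its backslashes; whether they end up
    # in the file depends on how scOpen.replace applies replacements — confirm.
    # Binding to 0.0.0.0 exposes gsad on every interface; reach is then
    # limited only by the host firewall.
    gsadconf.replace(r"^GSA_ADDRESS=127\.0\.0\.1", r"GSA_ADDRESS=0\.0\.0\.0")
    gsadconf.replace(
        r"^#GSA_SSL_PRIVATE_KEY=",
        "GSA_SSL_PRIVATE_KEY=/var/lib/openvas/private/CA/serverkey.pem")
    gsadconf.replace(r"^#GSA_SSL_CERTIFICATE=",
                     "GSA_SSL_CERTIFICATE=/var/lib/openvas/CA/servercert.pem")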
def _enable_ldap():
    """
    Enable ldap auth in the default FreeRADIUS site.

    Restores /etc/raddb/sites-enabled/default and uncomments only the first
    "#\\tldap" line; later occurrences are left as they are.
    """
    site = "/etc/raddb/sites-enabled/default"
    staged = site + ".tmp"
    use_original_file(site)

    # awk counts matches and rewrites the first one only; every line is
    # printed (the trailing "1"). Output goes to a staging file first.
    awk_script = "/usr/bin/awk '/^[#]\\tldap/{c++;if(c==1){sub(\"^[#]\\tldap\",\"\\tldap\")}}1'"
    x("{0} {1} > {2}".format(awk_script, site, staged))
    # Copied into place rather than moved — presumably so the existing file's
    # ownership and mode are kept.
    x("cp -f {0} {1}".format(staged, site))
    x("rm -f {0}".format(staged))
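def _install_pnp4nagios():
    """
    Install PNP4Nagios and wire it to icinga instead of nagios.

    PNP4Nagios is designed for Nagios, so the EPEL package needs a few fixes
    to play nicely with icinga: icinga ownership of the spool/log/lib dirs, a
    log file the package does not create, and an npcd.cfg from syco-private.
    Data is spooled through the NPCD daemon to Round Robin Databases (bulk
    mode, see http://docs.pnp4nagios.org/_detail/bulk.png). Web access is
    put behind LDAP via the syco-provided httpd conf.
    """
    # Get packages from epel repo
    install.epel_repo()
    x("yum install -y pnp4nagios icinga-web-module-pnp")

    # NPCD config prepped to work with icinga instead of nagios
    x("cp {0}syco-private/var/nagios/npcd.cfg /etc/pnp4nagios/npcd.cfg".format(constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/pnp4nagios/npcd.cfg")

    # The package does not create the process-perfdata log and PNP fails
    # without it.
    x("touch /var/log/pnp4nagios/perfdata.log")

    # Since we are using icinga (not nagios) we need to change permissions.
    # Adding icinga to the nagios group instead would tie us to PNP/Nagios
    # package state, which is not wanted.
    x("chown -R icinga:icinga /var/log/pnp4nagios")
    x("chown -R icinga:icinga /var/spool/pnp4nagios")
    x("chown -R icinga:icinga /var/lib/pnp4nagios")

    # Set npcd (bulk parser/spooler) to auto-start
    x(" /sbin/chkconfig --level 3 npcd on")

    # LDAP login for PNP4Nagios: the packaged httpd conf is replaced wholesale
    # by the syco template. The earlier AuthName/AuthUserFile edits of the
    # packaged file were removed because this rm/cp discarded them anyway.
    general.use_original_file("/etc/httpd/conf.d/pnp4nagios.conf")
    x("rm -f /etc/httpd/conf.d/pnp4nagios.conf")
    x("cp -p {0}icinga/pnp4nagios.conf /etc/httpd/conf.d/".format(constant.SYCO_VAR_PATH))
    # NOTE(review): the conf now holds the sssd bind password in clear text
    # and cp -p keeps the template's mode; check it is not world-readable.
    htconf = scopen.scOpen("/etc/httpd/conf.d/pnp4nagios.conf")
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % config.general.get_ldap_dn())
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace("${LDAP_URL}", "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(), config.general.get_ldap_dn()))

    # Restart everything
    x("service icinga restart")
    x("service httpd restart")
    x("service npcd restart")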
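def _disable_all_repos_in_file(repofile):
    """
    Disable every repo in a yum .repo file by setting enabled=0 in each section.

    Args:
        repofile: path to the .repo file; it is backed up through
            use_original_file before being rewritten in place.
    """
    # Parse the configuration file. NOTE(review): ConfigParser.read() skips a
    # missing or unreadable file silently, in which case no sections are found
    # and the file is written back empty.
    parser = ConfigParser.SafeConfigParser()
    parser.read(repofile)

    # One section per repo defined: flip each one off.
    for section in parser.sections():
        parser.set(section, "enabled", "0")
        app.print_verbose("Disabled [{0}] in file :{1}".format(section, repofile))

    # Back up the original before overwriting it, in case the write fails.
    # The handle gets its own name instead of shadowing ``repofile``.
    use_original_file(repofile)
    with open(repofile, 'wb') as out:
        parser.write(out)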
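def _disable_all_repos_in_file(repofile):
    """
    Disable every repo in a yum .repo file by setting enabled=0 in each section.

    Args:
        repofile: path to the .repo file; it is backed up through
            use_original_file before being rewritten in place.
    """
    # Parse the configuration file. NOTE(review): ConfigParser.read() skips a
    # missing or unreadable file silently, in which case no sections are found
    # and the file is written back empty.
    parser = ConfigParser.SafeConfigParser()
    parser.read(repofile)

    # One section per repo defined: flip each one off.
    for section in parser.sections():
        parser.set(section, "enabled", "0")
        app.print_verbose("Disabled [{0}] in file :{1}".format(
            section, repofile))

    # Back up the original before overwriting it, in case the write fails.
    # The handle gets its own name instead of shadowing ``repofile``.
    use_original_file(repofile)
    with open(repofile, 'wb') as out:
        parser.write(out)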
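def _configure_icinga_web(icinga_db_pass, web_sqlpassword):
    """
    Set icinga-web configuration: MySQL passwords, LDAP login and timezone.

    Watch out: the repoforge package creates an icinga-web folder in /etc/
    with a few XML files that are linked into the
    /usr/share/icinga-web/app/config XMLs through overwrite-tags. The
    icinga-web documentation assumes the standard configs, so it is easier to
    debug if the includes are simply not loaded (by not setting apache
    permissions).

    Args:
        icinga_db_pass: password of the ``icinga`` MySQL user.
        web_sqlpassword: password written for the icinga-web MySQL user.
    """
    databases_xml = "/usr/share/icinga-web/app/config/databases.xml"
    # The previous literals for icinga-web.conf carried a trailing space, so
    # use_original_file/scOpen were handed a different file name than the one
    # rm/cp operated on; naming the path once removes that.
    icinga_web_conf = "/etc/httpd/conf.d/icinga-web.conf"
    translation_xml = "/usr/share/icinga-web/app/config/translation.xml"

    # Database passwords. NOTE(review): the DSN user changes from icinga_web
    # to icinga-web here; confirm that matches the MySQL user created for
    # icinga-web.
    general.use_original_file(databases_xml)
    general.set_config_property(
        databases_xml,
        "mysql://icinga_web:icinga_web",
        "mysql://icinga-web:{0}".format(web_sqlpassword),
        False)
    general.set_config_property(
        databases_xml,
        "mysql://icinga:icinga",
        "mysql://icinga:{0}".format(icinga_db_pass),
        False)

    # LDAP login: replace the packaged httpd conf with the syco template and
    # fill in bind DN, bind password and URL.
    general.use_original_file(icinga_web_conf)
    x("rm -f {0}".format(icinga_web_conf))
    x("cp -p {0}icinga/icinga-web.conf /etc/httpd/conf.d/".format(
        constant.SYCO_VAR_PATH))
    # NOTE(review): the conf holds the sssd bind password in clear text and
    # cp -p keeps the template's mode; check it is not world-readable.
    htconf = scopen.scOpen(icinga_web_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % config.general.get_ldap_dn())
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}", "ldaps://%s:636/%s?uid" %
        (config.general.get_ldap_hostname(), config.general.get_ldap_dn()))
    x("/usr/bin/icinga-web-clearcache")

    # Timezone and language.
    general.use_original_file(translation_xml)
    general.set_config_property(
        translation_xml,
        "default_locale=\"en\"",
        "default_locale=\"en\" default_timezone=\"CET\"",
        False)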
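def _configure_icinga_web(icinga_db_pass, web_sqlpassword):
    """
    Set icinga-web configuration: MySQL passwords, LDAP login and timezone.

    Watch out: the repoforge package creates an icinga-web folder in /etc/
    with a few XML files that are linked into the
    /usr/share/icinga-web/app/config XMLs through overwrite-tags. The
    icinga-web documentation assumes the standard configs, so it is easier to
    debug if the includes are simply not loaded (by not setting apache
    permissions).

    Args:
        icinga_db_pass: password of the ``icinga`` MySQL user.
        web_sqlpassword: password written for the icinga-web MySQL user.
    """
    databases_xml = "/usr/share/icinga-web/app/config/databases.xml"
    # The previous literals for icinga-web.conf carried a trailing space, so
    # use_original_file/scOpen were handed a different file name than the one
    # rm/cp operated on; naming the path once removes that.
    icinga_web_conf = "/etc/httpd/conf.d/icinga-web.conf"
    translation_xml = "/usr/share/icinga-web/app/config/translation.xml"

    # Database passwords. NOTE(review): the DSN user changes from icinga_web
    # to icinga-web here; confirm that matches the MySQL user created for
    # icinga-web.
    general.use_original_file(databases_xml)
    general.set_config_property(
        databases_xml,
        "mysql://icinga_web:icinga_web",
        "mysql://icinga-web:{0}".format(web_sqlpassword),
        False
    )
    general.set_config_property(
        databases_xml,
        "mysql://icinga:icinga",
        "mysql://icinga:{0}".format(icinga_db_pass),
        False
    )

    # LDAP login: replace the packaged httpd conf with the syco template and
    # fill in bind DN, bind password and URL.
    general.use_original_file(icinga_web_conf)
    x("rm -f {0}".format(icinga_web_conf))
    x("cp -p {0}icinga/icinga-web.conf /etc/httpd/conf.d/".format(constant.SYCO_VAR_PATH))
    # NOTE(review): the conf holds the sssd bind password in clear text and
    # cp -p keeps the template's mode; check it is not world-readable.
    htconf = scopen.scOpen(icinga_web_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % config.general.get_ldap_dn())
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace("${LDAP_URL}", "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(), config.general.get_ldap_dn()))
    x("/usr/bin/icinga-web-clearcache")

    # Timezone and language.
    general.use_original_file(translation_xml)
    general.set_config_property(
        translation_xml,
        "default_locale=\"en\"",
        "default_locale=\"en\" default_timezone=\"CET\"",
        False
    )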
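def install_mail_server(args):
    """
    Install a postfix mail relay that listens on all of this server's IPs and
    delivers straight to the internet. Localhost can send too. Virtual
    aliases from PostFixProperties are written to /etc/postfix/virtual.
    Also installs mailx.

    Args:
        args: unused; kept for the common install-command signature.
    """
    version_obj = version.Version("Install-postfix-server", SCRIPT_VERSION)
    version_obj.check_executed()
    app.print_verbose("Installing postfix-server version: {0}".format(SCRIPT_VERSION))

    init_properties = PostFixProperties()

    # Install required packages; augeas is used for the list-valued settings.
    x("yum install -y postfix augeas")

    # Initialize augeas
    augeas = Augeas(x)

    # Set config file parameters
    #
    general.use_original_file("/etc/postfix/main.cf")
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")

    # Hostname is the full canonical name of the machine, e.g. mailrelay.syco.com.
    postfix_main_cf.replace("#myhostname = host.domain.tld", "myhostname = {0}".format(config.general.get_mail_relay_domain_name()))
    postfix_main_cf.replace("#mydomain = domain.tld", "mydomain = {0}".format(config.general.get_resolv_domain()))  # syco.com
    postfix_main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Accept email on every address of this server.
    augeas.set_enhanced("/files/etc/postfix/main.cf/inet_interfaces", ",".join(init_properties.server_ips))

    # mynetworks is the set of clients allowed to relay without
    # authentication, so server_networks must stay limited to local networks.
    augeas.set_enhanced("/files/etc/postfix/main.cf/mynetworks", ",".join(init_properties.server_networks))

    # Do not relay anywhere special, i.e. straight to internet.
    postfix_main_cf.replace("#relay_domains = $mydestination", "relay_domains =")
    postfix_main_cf.replace("#home_mailbox = Maildir/", "home_mailbox = Maildir/")

    # Stop warning about IPv6.
    postfix_main_cf.replace("inet_protocols = all", "inet_protocols = ipv4")

    # virtual_alias_maps always points at /etc/postfix/virtual; the hash map
    # is only rebuilt (postmap) below when aliases are configured.
    augeas.set("/files/etc/postfix/main.cf/virtual_alias_maps", "hash:/etc/postfix/virtual")

    if init_properties.virtual_alias_domains:
        augeas.set("/files/etc/postfix/main.cf/virtual_alias_domains", init_properties.virtual_alias_domains)

    # Add virtual aliases that do not already exist; update those that do.
    # NOTE(review): pattern and destination are interpolated unquoted into a
    # shell command and an augeas path. They come from syco config, so a
    # stray quote or shell metacharacter there breaks (or escapes) the
    # command; validate them in PostFixProperties or write the file from
    # Python instead of via echo.
    for virt_alias_from, virt_alias_to in init_properties.virtual_aliases.iteritems():
        existing = augeas.find_entries("/files/etc/postfix/virtual/pattern[. = '%s']" % virt_alias_from)
        if not existing:
            x("echo \"%s %s\" >> /etc/postfix/virtual" % (virt_alias_from, virt_alias_to))
        else:
            augeas.set_enhanced("/files/etc/postfix/virtual/pattern[. = '%s']/destination" % virt_alias_from,
                                virt_alias_to)

    if init_properties.virtual_aliases:
        x("postmap /etc/postfix/virtual")

    # Install a simple mail CLI-tool
    install_mailx()

    # Tell iptables and nrpe that this server is configured as a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Send test mail to the syco admin and to every virtual alias address.
    send_test_mail((None, config.general.get_admin_email()),
                   init_properties.virtual_aliases.keys())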